18. July 2022 #747
-
I would like to present a summary of a grant proposal Chia-Che and I are working on, and get feedback/suggestions on the proposed Gramine work from the team. I expect we would need no more than 10 minutes.
-
We should discuss the problem of not being able to connect to the UNIX domain socket's path in the child process. Example from Nginx + PHP:
UPDATE: This was wrong. I guess I have misunderstood the problem. The root cause is actually that two independent Gramine instances (one Nginx, one PHP) wanted to communicate over the UNIX domain socket, and this is unsupported.
-
Agenda
(please write your proposed agenda items in comments under this discussion)
Enrico Borello's questions
Enrico and his team are at the phase of investigation (how to run Linux applications in SGX enclaves) and they found Gramine. The main question was about the general process of SGX remote attestation: "can custom, non-Intel-based attestation schemes be used?". Mona and Dmitrii explained the EPID and DCAP attestation schemes (the first one requires internet connectivity to verify the SGX quote via the Intel IAS web service, the latter has a "caching service" that may alleviate the need for constant internet connectivity but still relies on the Intel PCS web service).
Grant proposal from Chia-Che and Don
There is a proposal for NSF (National Science Foundation) funding, in the "Secure and Trustworthy Cyberspace: transition to practice" program. 4 years of funding, with different possible tasks around Gramine open source development:
Request for feedback: should Gramine work on boot camps or webinars? Should Gramine offer open hours?
Sockets rewrite and UNIX domain sockets
Issue: how can two Gramine instances (i.e., Gramine processes that were launched separately, e.g., in two Docker containers) communicate over UNIX Domain Sockets (UDS)?
The problem is that UDS communication is transparently TLS-encrypted by Gramine (think of UDS as a "better version of UNIX pipes"). So if two processes want to communicate over UDS, they must possess the same master encryption key (because Gramine uses TLS-PSK for pipes and UDS). But two Gramine instances will not share any encryption keys, so they can't establish a secure TLS session over UDS.
Transparent encryption of UDS communication is a core design choice. We will not change this logic.
Currently, the only two solutions to this issue are:
Vijay mentioned that they have a similar scenario: two independent SGX enclaves are launched separately, and they would like to communicate over UDS. With current Gramine design, this is impossible.
Mona proposed an idea to implement something similar to RA-TLS (used for SGX remote attestation), but in a local fashion -- LA-TLS (used for SGX local attestation). The core concept will be similar to RA-TLS: during the TLS handshake, the two enclaves exchange SGX evidence (TARGETINFO and SGXREPORT), attest each other, and establish a secure channel (skipping the "normal PKI" verification of X.509 certificates). By verifying MRSIGNER and possibly MRENCLAVE, it will be possible to connect two independently launched SGX enclaves, but from the same "package".
Dmitrii believes it is viable, but LA-TLS will require a lot of effort/time to implement.
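A toy model of the LA-TLS handshake sketched above, added here as an illustration and not code from Gramine or any of the participants: two independently launched "enclaves" exchange TARGETINFO-style identities, each produces a report MACed under the other's report key, and each accepts the peer only if the MAC verifies, the evidence is bound to the current handshake, and MRSIGNER (optionally MRENCLAVE) matches policy. The platform secret, the `measure()` identities and the HMAC-based MAC are constructed stand-ins for the CPU key, MRENCLAVE/MRSIGNER and the EREPORT/EGETKEY instructions; real local attestation needs SGX hardware.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PLATFORM_SECRET = b"constructed-platform-secret"  # stands in for the CPU's fused key

def measure(label: str) -> bytes:
    return hashlib.sha256(label.encode()).digest()  # constructed 32-byte MRENCLAVE/MRSIGNER

def report_key_for(mrenclave: bytes) -> bytes:
    # Models EGETKEY(REPORT_KEY): only this target enclave, on this platform, can derive it
    return hmac.new(PLATFORM_SECRET, b"report-key" + mrenclave, hashlib.sha256).digest()

@dataclass(frozen=True)
class Enclave:
    mrenclave: bytes  # 32 bytes
    mrsigner: bytes   # 32 bytes

    def targetinfo(self) -> bytes:
        return self.mrenclave  # TARGETINFO names the enclave that must verify the report

def create_report(prover: Enclave, targetinfo: bytes, report_data: bytes) -> dict:
    # Models EREPORT: prover identity plus caller data, MACed under the target's report key
    body = prover.mrenclave + prover.mrsigner + report_data
    return {"body": body, "mac": hmac.new(report_key_for(targetinfo), body, hashlib.sha256).digest()}

def verify_report(verifier: Enclave, report: dict, expected_report_data: bytes,
                  trusted_mrsigner: bytes, expected_mrenclave: Optional[bytes] = None) -> bool:
    body = report["body"]
    mac = hmac.new(report_key_for(verifier.mrenclave), body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, report["mac"]):
        return False  # not produced on this platform for this verifier
    mrenclave, mrsigner, report_data = body[:32], body[32:64], body[64:]
    if not hmac.compare_digest(report_data, expected_report_data):
        return False  # evidence not bound to this handshake (replayed from another session)
    if not hmac.compare_digest(mrsigner, trusted_mrsigner):
        return False  # not from the same "package": signed with another vendor key
    if expected_mrenclave is not None and not hmac.compare_digest(mrenclave, expected_mrenclave):
        return False  # optional stricter policy: exact enclave measurement
    return True

def la_tls_handshake(a: Enclave, b: Enclave, trusted_mrsigner: bytes) -> bool:
    # Mutual local attestation in place of X.509 PKI checks; both sides must accept
    transcript = os.urandom(32) + os.urandom(32)  # stand-in for the TLS handshake transcript
    report_a = create_report(a, b.targetinfo(), transcript)  # A proves itself to B
    report_b = create_report(b, a.targetinfo(), transcript)  # B proves itself to A
    return (verify_report(b, report_a, transcript, trusted_mrsigner)
            and verify_report(a, report_b, transcript, trusted_mrsigner))
```

The handshake succeeds only for two enclaves signed by the same trusted key; an enclave from a different signer, or a report targeted at a different enclave, is rejected on one side and the session is not established.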